Cabletron Systems Cabletron CyberSWITCH CSX5500 User Manual

Also see for CyberSWITCH 5500: Quick start Manual

Contents

USER’S GUIDE162 CyberSWITCHMultilevel security provides both user level security and device level security for local (on-node)database, Radius, and CSM. This provides added protection; first, a device will be authenticated,and then a particular user (on the device) will be authenticated.The feature also allows the configuration of an on-node device database at the same time as an off-node device database. Calls first check the on-node database (if enabled) and then the off-nodedatabase for the correct device. Authentication is based on device information received from thefirst matching database.S YSTEM OPTIONS AND I NFORMATIONThe second phase of security configuration involves the proper setting of administrative securityoptions. We have thus far defined the selected type of security we plan to use. We now need toenable security options, provide system information, and configure administrative sessions.System Options: You need to enable/disable PPP Link Security, Bridge MAC Address Security, IPHost ID Security, or Calling Line ID Security, based upon your network requirements.System Information: You need to assign a system name, password, and secret to the CyberSWITCHfor identification purposes.Administrative Session Information: You can achieve secure administration sessions with flexiblecontrol through the configuration of certain options, such as:• Selecting an authentication database for administration sessions.You may select an on-node database, a RADIUS server, a TACAS Server, or an ACE Server.• Specifying an inactivity session time-out.Since there are only a limited number of sessions available, this avoids the problem ofadministrator lockout because a user forgets to logout from the system.• Restricting Telnet access.This is done by allowing you to set the number of possible administrative Telnet sessions.Telnet access to the CyberSWITCH can be disabled, or the number of Telnet sessions can belimited to less than 3.• Accessing an emergency Telnet Server session.To access an emergency Telnet Server session, you first need to configure an emergency TelnetServer port. If the system administrator needs a Telnet session and all available Telnet sessionsare in use, they can then Telnet into this emergency port and disconnect inactive Telnet sessionsand begin a session of their own.D EVICE L EVEL D ATABASESIf device level security or multi-level security has been chosen, then the next phase of securityconfiguration involves setting up a device level authentication database, and then specifying thelocation of that database.The CyberSWITCH provides dial in/dial out access for remote devices via ISDN connections. Theinformation required to authenticate the remote device is maintained in a database that the systemqueries during connection establishment. The system allows this “device database” to be located inseveral optional environments.